Update Firefox Now

If you use Firefox, you need to update it right now. There’s a zero-day vulnerability being actively exploited. The particular exploit that has been discovered affects Windows and Linux but not OS X; however, OS X users should still upgrade.

And after you’ve upgraded, install an ad blocker. Ads are a frequent vector for this kind of exploit. You can whitelist sites you trust if you want to support them.

Advertisements

Stagefright Android Vulnerability

This looks like a bad one. An attacker can execute their own code on many Android phones simply by sending an MMS message, and in some cases you don’t even have to view the message to be infected. And the whole Android software update ecosystem is a complete mess, so very many phones will never get patched for it. At the time of writing it seems like there are almost no fixes available from handset suppliers, although the vulnerability was discovered and reported (by Joshua Drake at Zimperium zLabs) in April.

There’s not much you can do about other than waiting for your supplier to release a fix. It’s worth changing the settings in apps like Messenger and Hangouts that can receive MMS messages to not “automatically receive MMS messages”. If your Android version uses Messenger for SMS messages, you can block messages from people you don’t know, but of course that could block messages that you want to receive.

If you’re on an old handset — and that may mean only a few months old — you may never get a fix. I would certainly avoid opening messages that you’re not expecting from anyone you don’t know, but it seems that may not be enough on at least some phones — the bug is much harder to exploit on iOS versions 4.1 and later, so they’re potentially less affected. If your Android version is so old that it’s 2.1 or earlier, then you’re not affected at all.

It’s this kind of thing that frankly makes me question whether anyone should be buying an Android phone, except for a Nexus or another phone made by Google themselves. The manufacturers don’t regard themselves as software companies, and so don’t pay enough attention to software issues and getting updates out to users, especially users on handsets that aren’t being manufactured any more.

More later, when we have clearer details of exactly who is affected and how bad it is.

Edited to add: Here is the original blog post announcing the vulnerability.